As part of our compliance with the Payment Card Industry (PCI) Security Council's Data Security Standards (DSS), ThousandEyes will be deprecating the use of TLS version 1.0 within our infrastructure. TLS is the protocol which provides authentication and encryption for HTTPS URLs. Most notably, web servers for customer-facing services such as api.thousandeyes.com and app.thousandeyes.com will no longer support the use of TLS version 1.0 (sometimes referred to as SSL version 3.1). The current version of TLS is 1.2, and the PCI DSS also permits use of TLS 1.1.
Customers who use older clients which cannot support these versions will need to upgrade the clients to communicate with ThousandEyes. The deadline for PCI DSS compliance is June of 2018, but ThousandEyes intends to achieve compliance by January of 2018.
Identifying TLS 1.0 clients
Clients which require upgrading are most commonly API clients whose underlying TLS libraries have not been updated. We will work with customers in the coming months to identify these clients through log analysis.
Both browser and API clients may be tested using an online TLS analysis tool such as:
- https://www.ssllabs.com/ssltest/viewMyClient.html for browsers
- https://www.howsmyssl.com/s/api.html for API clients
Alternatively, capturing the client's packets with a tool such as tcpdump or Wireshark can also provide the TLS version in the TLS handshake of the session. When inspecting packet captures, be sure to note the version from the TLS Client Hello message, not from the TLS Record layer. The Wireshark image below shows the relevant version field in green and the non-relevant version field in red:
In the above example we see that this connection is a TLS 1.2 connection, as indicated by the Client Hello Version field (hexadecimal 0303), even though the Record Layer Version field contains a value for TLS 1.0 (hexadecimal 0301). The relevant field is the Client Hello Version.
A Wireshark display filter to locate packets with TLS 1.0 in the Client Hello Version field is:
ssl.handshake.version == 0x0301
Clients whose packets match this display filter are using TLS 1.0 and must be upgraded to a newer version of TLS to communicate with ThousandEyes after the aforementioned deadline.
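The same check can be made on raw captured bytes without Wireshark. The following is an added example, not ThousandEyes code: it reads both version fields from a Client Hello and applies the same test as the display filter above. The function names and the sample packets are constructed for illustration.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(record_version, hello_version):
    """Build a minimal Client Hello record (constructed sample, no extensions)."""
    body = struct.pack("!H", hello_version)      # Client Hello Version
    body += bytes(32)                            # random (zeroed for the sample)
    body += b"\x00"                              # empty session ID
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    header = struct.pack("!BHH", 0x16, record_version, len(handshake))
    return header + handshake

def parse_client_hello_versions(payload):
    """Return (record_layer_version, client_hello_version) from a TCP payload."""
    if len(payload) < 11:
        raise ValueError("payload too short to hold a Client Hello version")
    content_type, record_version, _length = struct.unpack("!BHH", payload[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    if payload[5] != 0x01:
        raise ValueError("handshake message is not a Client Hello")
    # Bytes 6-8 are the handshake length; the Client Hello Version follows.
    (hello_version,) = struct.unpack("!H", payload[9:11])
    return record_version, hello_version

def is_tls10_client(payload):
    """Same test as the display filter ssl.handshake.version == 0x0301."""
    _record_version, hello_version = parse_client_hello_versions(payload)
    return hello_version == 0x0301

if __name__ == "__main__":
    samples = {
        "record 0301 / hello 0303": build_client_hello(0x0301, 0x0303),
        "record 0301 / hello 0301": build_client_hello(0x0301, 0x0301),
    }
    for label, packet in samples.items():
        record_v, hello_v = parse_client_hello_versions(packet)
        print(label, "->", VERSION_NAMES.get(hello_v, hex(hello_v)),
              "| must upgrade:", is_tls10_client(packet),
              "| record layer says", VERSION_NAMES.get(record_v, hex(record_v)))
```

The first sample reproduces the case described above: the Record Layer Version reads TLS 1.0, but the client is not flagged because its Client Hello Version is TLS 1.2.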